You’re probably fairly safe with this setup.
A few things I’d consider:
1. Make sure that ALL input data from the student is valid and escaped. Do not only rely on ACF for this but rather run it through your own checks too. For example, if the code they should supply is numbers only, make sure that the input value is a float (or int), strip all values of tags etc. etc.
2. Remember that emails can be compromised so it is probably also a good idea to set a time restriction for the verification code. For instance you could make the code invalid after 1h. That way you are sure it does not matter if a student's email gets hacked later on etc.
3. Consider using short-lived WordPress transients for storing the data instead of PHP session? Or be sure to check up on your session security: http://php.net/manual/en/session.security.php
Beyond that I think your biggest possible flaws would be human error like not updating plugins, having unsecure passwords etc.
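
The three suggestions in the reply above, combined into one sketch. This is an added example, not code from the original post or from ACF. The function names and the six-digit code format are assumptions, and it is meant to run inside WordPress, where the transients API is available.

```php
<?php
// Added example; student_code_* names and the 6-digit format are assumptions.

function student_code_key( $email ) {
    // Hash the address so the transient name stays short and predictable.
    return 'student_code_' . md5( strtolower( $email ) );
}

// Create a code for this address and store it for one hour.
function student_code_issue( $raw_email ) {
    if ( ! is_string( $raw_email ) ) {
        return false;
    }
    $email = sanitize_email( wp_unslash( $raw_email ) );
    if ( ! is_email( $email ) ) {
        return false;
    }
    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    // Store only a keyed hash; WordPress treats it as expired after 1h.
    set_transient( student_code_key( $email ), wp_hash( $code ), HOUR_IN_SECONDS );
    return $code; // the caller e-mails this to the student
}

// Check a submitted code; returns true only for a valid, unexpired code.
function student_code_verify( $raw_email, $raw_code ) {
    if ( ! is_string( $raw_email ) || ! is_string( $raw_code ) ) {
        return false; // rejects arrays and other unexpected input types
    }
    $email = sanitize_email( wp_unslash( $raw_email ) );
    $code  = trim( wp_unslash( $raw_code ) );
    // Own check, independent of ACF: exactly six digits and nothing else.
    if ( ! is_email( $email ) || ! preg_match( '/\A\d{6}\z/', $code ) ) {
        return false;
    }
    $key    = student_code_key( $email );
    $stored = get_transient( $key ); // false if never issued or already expired
    if ( false === $stored || ! hash_equals( $stored, wp_hash( $code ) ) ) {
        return false;
    }
    delete_transient( $key ); // single use: a verified code cannot be replayed
    return true;
}
```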
© 2022 Advanced Custom Fields.